The facts about Citrix Access Gateway, the generic hardware it's built on, and running it in VMware

There is a lot of (mis)information out there about the Citrix Access Gateway (Citrix's SSL VPN appliance) with regards to how it works and whether you can make your own in VMware. In this article I plan to clear up all the uncertainty with real information and real facts, both from the technology and legal standpoints.

The Citrix Access Gateway “Appliance”

Citrix calls their Citrix Access Gateway (CAG) an appliance. The term “appliance” has many uses in the IT world, but the essence of the term is that an appliance is an IT device that you turn on and it just works. Period.

When people think of an IT appliance, they mostly think of things like routers, firewalls, or wireless access points. They don't think of Pentium-based Windows or Linux servers. Of course a router and a Windows Pentium server have many things in common: both have a CPU, memory, and an OS stored on some kind of media. The main difference is that an appliance usually runs a custom or real-time OS stored in NVRAM or flash, as opposed to a general-purpose OS like Windows installed on a hard drive.

The CAG is an appliance in practice. What that means is that it is used like an “appliance,” although some might argue that calling it an “appliance” is a stretch. Consider these facts:

Fact: The CAG hardware is a Supermicro SuperServer 5013C-M. This particular configuration includes an Intel P4 processor, 1GB of memory, a 40GB hard drive, a CD-ROM drive, and a floppy drive.

Fact: The operating system that powers the Citrix Access Gateway is a hardened version of Linux. (Hey, doesn't the GPL require Citrix to give away their source code with this? That's an article for another day.)

My point is that the Citrix Access Gateway is not an “appliance” in the truest sense of the word. It’s just an Intel server running Linux that’s supposed to be treated like an appliance. Fair enough.

The 227% Citrix “Tax”

The Supermicro 5013C-M chassis can be bought online for about $600. Throw in another $500 or so for the memory, hard drive, and CPU, and you’re looking at about $1100 in hardware. Citrix charges $2500 for this $1100 device (except they also throw in a custom plastic bezel that snaps on the front that says “Citrix”).

So is it fair for Citrix to take an $1100 device and sell it for $2500, which is 227% of the hardware cost (a markup of about 127%)? That depends on your perspective. On one hand, Citrix has put considerable time and effort into the software that runs on this device. So in essence the $2500 Access Gateway can be viewed as a pass-through cost of $1100 for hardware plus $1400 for the CAG server software.

The problem with that line of thinking is that it doesn't really jibe with the licensing policies in the rest of the Access Suite. (The CAG is part of the Citrix Access Suite.) In the rest of the Citrix Access Suite, the licensing is such that you pay for each concurrent user, and then you are allowed to build as many servers as you want to support your users. From a licensing standpoint, there's nothing wrong with buying 10 user connection licenses and then building 20 servers. As long as you don't have more than 10 concurrent users across all 20 of your servers, you're legal.

The CAG’s user-based licensing is no different. That $2500 for the CAG is for the hardware only—that $2500 does not include any connection licenses. In other words, for $2500 you buy a Taiwanese paperweight. If you want to actually use the thing then you need to buy connection licenses which start at $90 per user.

So in that sense, the CAG is no different than the other members of the Citrix Access Suite, and Citrix makes their licensing money off of your connection licenses, just like the other products in the suite.

So can I just build my own CAG on my own hardware?

What makes this more interesting is that the CAG "appliance" ships with a CD-ROM that, when booted, wipes the disk of whatever machine it's inserted into and images it with the CAG software. Also, when you download updates to the CAG from Citrix, you can actually download ISO images that you are instructed to burn onto a CD-ROM. The upgrade process is to insert the CD-ROM into your CAG "appliance" and then to restart it. The CD-ROM re-images the appliance with the new CAG image.

This leads to an interesting question. Is it okay to buy a Supermicro SuperServer 5013C-M, a P4 processor, a 40GB hard drive, and a gig of RAM and make your own CAG while saving about $1400 in hardware costs?

From a legal standpoint, the answer is “No.” The license agreement that is included with the Citrix Access Gateway software clearly states that you can only use the server software on a device with a CPU that you bought from Citrix.

From a technical standpoint, however, there is nothing stopping you from doing this.

Before I go on, I understand that a lot of people at Citrix will be upset to read this. It is in Citrix's interest (for valid reasons that I will get to in a moment) for the community to view the CAG as a real appliance and not as a Supermicro 5013C-M running Linux. However, Citrix not admitting this does not make it less true, and it does not stop the rumors from half-informed people that are easily uncovered via basic Google searches. So I view my purpose as getting ALL the REAL information out there: technical possibilities, legal ramifications, and why you wouldn't want to do this on your own.

Also, while I’m off on this tangent, in case anyone is wondering whether I “hacked” or “reverse engineered” my CAG to figure out that it was a Supermicro 5013C-M, the answer is “no.” I just turned it over and read the sticker from Supermicro that had the specific make, model, and serial number.

When will Citrix start enforcing the use of their own hardware?

Some people have suggested that Citrix might start building a custom BIOS or some other mechanism into these servers to ensure that the CAG software is only installed onto a server that was purchased from Citrix. The problem with this is that there are thousands of these CAGs in the field now that do not have custom BIOSes, so if Citrix started making a protected version of their CAG server software then they would have to do field replacements of all the current devices.

A more likely outcome is that Citrix will release a new CAG that’s based on NetScaler hardware (more of a “real” appliance) that will be a different platform, and the current CAG will be end-of-lifed. I think they’re planning on calling this a NetScaler 2000 series, although I need to do more research to work out all of these details.

The bigger question is why does Citrix care about whether you use their server or a generic server (besides the fact that they are undoubtedly making several hundred dollars in profit for each CAG device they sell)? The main reason has to do with support. Can you imagine the nightmare it would be for Citrix support if they publicly endorsed, encouraged, or even acknowledged that you could install a CAG onto non-supported hardware? They would have to ask people on the phone about the type of device they’re using, and the callers would probably lie anyway.

What about installing the CAG into a VMware session?

The last “fact” that I want to discuss has to do with running the CAG in a VMware session. Again, let’s be perfectly clear about two facts here:

Fact: It is possible to run a CAG in a VMware session.

Fact: Citrix is doing this internally for testing and training purposes.

Should you do it? No. Why not? Because it violates the license agreement as it’s currently written.

Since the Supermicro 5013C-M server is just a pretty generic Intel server, it is possible to build a VM with similar specs to the CAG and then to “boot” the CAG installation CD-ROM to install the CAG into that VM. (Just configure the appropriate NICs in the VMX file and you're all set.)
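As an added illustration of that last step (this fragment is not from the original article and is not Citrix's configuration), here is what the NIC section of such a VMX file looks like. The two-NIC layout, the Intel e1000 virtual device, bridged networking, and the ISO file name are all assumptions made for the example; the CAG image's actual requirements are not documented on this page.

```ini
# Added example VMX fragment (not from the article): a lab VM built to look like the
# Supermicro-based CAG. Assumptions: the CAG image expects Intel e1000 NICs (so the
# guest's e1000 driver binds at boot) and two interfaces (external and internal).
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.connectionType = "bridged"
ethernet0.addressType = "generated"

ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.connectionType = "bridged"
ethernet1.addressType = "generated"

# Attach the CAG installation ISO as the CD-ROM so the VM boots it once and re-images
# the virtual disk, exactly as the physical CD-ROM re-images the appliance.
# "cag-install.iso" is a placeholder name, not Citrix's file name.
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "cag-install.iso"
ide1:0.startConnected = "TRUE"
```

If the virtual NIC type does not match what the image's kernel was built for, the guest comes up with no network at all; the e1000 choice above is the one most likely to match a Linux image built for Intel server boards, but it remains an assumption.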

Remember though that doing this is a direct violation of the Citrix license agreement. But again I wanted to be clear here that this technically works since it’s easy to find descriptions of this via Google, and unfortunately those descriptions don’t include the full legal and technical conversation presented here.

The other important fact about running a CAG server in a VM is that performance would be poor. Without getting into all the details, the short explanation is that the guest OS never talks to the physical NIC directly: every packet goes through a virtual NIC emulated by the virtualization layer, and on a host that virtualizes the CPU in software each transition between the guest and that layer is expensive. For a device whose whole job is moving packets, that overhead adds up. (Hardware-assisted virtualization in the new Vanderpool Xeon CPUs, what Intel now calls VT-x, reduces the cost of those transitions, but those CPUs are so expensive that you might as well just buy a CAG.)

Very interesting article - especially when considering our production unit is in production and our demo unit is always out on demo which makes it hard to train staff on the unit - I'd be tempted to break the license agreement to learn how to support these better via using VMware or cheaper hardware - maybe I'd sell more of them too...

I can also see that as much as we <cough> *might* use VMware to test functionality on CAGs, Citrix can clearly not condone the use of this outside the actual unit, because as you rightly point out it would be a nightmare to support. Having said that, it's difficult enough to support now, because the marketing with this device has led to some rather high expectations of what it can and can't do..... but as you said, that's a story for another day.

And here's another shot of the CAG, oops... F-Secure Messaging Gateway

I have long thought that this would be the real world space that Linux would be moving into. Ever tried to install a modem on to Ubuntu? It's a nightmare. However the application which Citrix has works fantastically well because the hardware is standard and the image pre-configured.

I think they're planning on calling this a NetScaler 2000 series, although I need to do more research to work out all of these details.

The latest I've heard is that the 2000 series will be the existing CAG appliance. A new 5000 series will be available for 'Access Gateway Advanced', which is more scalable (it is actually a Netscaler 7000 series, but with CAG software).

Also, why not go the whole hog and blow the licensing rules away completely. If you have a spare CAG lying around, blow a Microsoft or Linux OS onto it and use it to run VMware Server (free now!!). You can then host a CAG VMware image and a couple of other VMs on the same piece of hardware for training purposes. Works great.

From a legal standpoint, the answer is "No." The license agreement that is included with the Citrix Access Gateway software clearly states that you can only use the server software on a device with a CPU that you bought from Citrix.

I don't think that Citrix are gonna mind that much if it becomes plain knowledge that a CAG can be run as a VMWare image. Performance will suck on a VM as you rightly state. At the end of the day, if thousands of people run this configuration, information about the CAG becomes more widespread, they may well see that the CAG is actually a great SSL VPN solution and go out and buy the real thing anyway.

Moving to the netscaler hardware is the logical choice as some of the scalability issues with the CAG are hardware related. VMware certifies that specific hardware will work with its software, how about "CAG, certified to run on the HP DL360"

NetScaler has always had an SSL-VPN option for their hardware, even before Citrix bought them. Their SSL-VPN is, at least today, completely separate from the Citrix Access Gateway. I'll post more on this soon..

Citrix Wannabe.... The Netscaler line is now integrated into the AG line, as far as the marketeers go.

AG standard is just the CAG device, running as an SSL VPN appliance. AG Advanced is a 2000 (original NET6 CAG) or 5000 series (Netscaler platform running AG code!) bundled with the AACo software. The 5000 series is a more scalable platform. AG Enterprise is a 7000/9000 series Netscaler or above, hugely more scalable, but running the Netscaler VPN. This VPN solution is great, but totally different to the original AG SSL VPN, both from a usability and a manageability perspective.

Citrix will be integrating the best of the two different VPN solutions over the coming months and I'm sure that the higher end boxes too will be integrated into the AACo offering at some stage.

Brian mentioned that he will be digging into the Netscaler VPN at some stage, good stuff.

It's amazing how far Brian has come from proclaiming in his own forum that the CAG was running BSD, to being almost correct about how to virtualize the CAG.

As a previous poster has mentioned, "thunking" has nothing to do with network requests. Also the virtualization overhead on a device like the CAG is not terrible as Brian has mentioned; if you take the time to build your own images correctly and run the VM on an ESX server with decent hardware you will actually see dramatic improvements in speed over the "REAL" CAG (yes you can run this on ESX, however you need to recompile the Linux kernel and various other things that I won't detail here).

With regards to the GPL issue that Brian mentioned, Citrix is not obligated to release their code UNLESS their code modifies any GPL licensed code. Example: simply writing an executable that runs on Linux does not mean the programmers need to release the code; however, writing a custom patch to the httpd daemon (Apache for example) may require you to release your source code, since your code builds upon a GPL release.

I once cracked open a WatchGuard FBII and discovered that I could overclock the CPU, upgrade the RAM and do all kinds of nifty things. I even developed a kit to upgrade the FBII and put it out on eBay.

My first "customer" was the legal department of WatchGuard, threatening to sue me because I infringed on their Patent protections by opening their box. Needless to say I withdrew my eBay ads right away.

I'm sorry, did I miss something here? Point one - quibbling over what an "appliance" is. I guess, if it walks like a duck, and swims like a duck, I won't be rifling through pinfeathers to see if it's a chicken. And price differentials? If you go to Mouser's, buy all discrete components, reverse-engineer the ASICS, etc., you can probably save a bundle on a PIX515, too.... And sure, it's a swell thing to show somebody that you've virtualized a CAG, but are you really gonna use it virtualized? Sorry, I have to go now; I found a site that shows me how to pressurize 2liter soda bottles for use as rockets. Now THAT I can use. Yonderbox

No reverse engineering of ASICs needed.. just build a Cisco PIX 520 (outdated now but with a faster CPU it's obviously more scalable), there's tons of information out there on the FrankenPIX ([link=http:

CAG Receipt
Citrix Access Gateway 2000 Hardware ......... $1100
+ Citrix Development Costs, Marketing, Etc @ 127% ........ $1397
= Total MSRP ......... $2497

Other than that I'm very glad to see such a forthright discussion of these potential issues... I think the best that we can hope for would be some limited permission from Citrix to use virtual CAGs for functional POCs, lab work or training classes, but you can bet that I am NOT holding my breath...

"Appliance: an instrument or device designed for a particular purpose"

That's why my toaster is an appliance... it's great for toasting bread, but it sucks at frying eggs; that is, it was designed "for a particular purpose". So in this sense a CAG IS an appliance since it was designed and it is supposed to be used for a particular purpose.

But I would have to agree with Brian that the Netscaler (or a Cisco Router) is more of an appliance since it goes to a lower level to build a unique OS/Kernel and not build on top of a generic one, as is the case on the CAG with Linux.

Where did Brian mention thunking? He simply stated "...it has to do with the fact that the virtualization layer has to translate TCP/IP calls between the various virtualized and physical processor ring layers on the host...". This statement is 100% correct. VMs run in ring 3 and the vmkernel runs in ring 0. Any packet that leaves that VM must have a context switch in the vmkernel to get the packet out on the physical wire. And yes, this adds overhead.

I would like to see some facts about VMWare being slow. We use ESX today in production and see performance increase, especially with our whole Citrix farm which is virtualised....and this includes the current Secure Gateways. We have bought 2 of the new AG's and will be doing the right thing, but I am still of the opinion based on experience that ESX is not slow!!!

Jeff, do you know of any comparisons between CAG and other SSL Gateway Products, i.e. the AEP Netilla product that was shown at briForum? Do you recommend the CAG, or is there another device that you prefer, or just use CSG?

ORIGINAL: Jeff Pitsch

Gah, wish these comments showed what article the user was responding to.

You're confusing technology in your post. CAG is the appliance; CSG is simply software. You have to build your CSG box, there is no other way to get it installed.

As for CAG, MSRP is high but I have yet to meet any company buying them at the MSRP. They're practically given away.

Jeff, do you know of any comparisons between CAG and other SSL Gateway Products, i.e. the AEP Netilla product that was shown at briForum? Do you recommend the CAG, or is there another device that you prefer, or just use CSG?

It sort of depends upon someone's needs. If a company is simply trying to secure their ICA traffic and has no needs for any additional protocols/applications to be tunneled AND they have subscription advantage, then CSG fits the bill perfectly. If they have needs for additional applications/ports to be tunneled then CAG (or an alternative SSL or IPSec VPN) becomes a contender.

I'm guessing this was in response to the idea of building your own CAG in VM versus running the appliance. I'd expect that there are very few people trying to run CAG in VM in a pure production capacity solution. Test/Dev, etc. it makes a lot of sense, pure production it probably doesn't make sense.

Jeff, do you know of any comparisons between CAG and other SSL Gateway Products, i.e. the AEP Netilla product that was shown at briForum? Do you recommend the CAG, or is there another device that you prefer, or just use CSG?

I wish I did. I was in the session with Netilla but I was only half listening so I wouldn't want to speak good or bad on that product.

As with anything, you have to fit to your needs. If all you're looking for is encrypting ICA traffic, then CSG is the way to go. If you're looking for more, then CAG and/or AAC is the way to go. There are other products out there like Aventail (sp?) that do the same things as CAG but with better client support. CAG is currently lacking in client support (Windows-only client right now) and that is turning some companies off.

Yes, me, but there's the problem that you can't force Virtual Server R2 to emulate an "e1000" Ethernet adapter... and then comes the message "device e1000 seems not to be present, delaying eth0 initialization" and there is no network available...

VMware is a dog when it comes to performing high disk I/O applications. Look at something like Virtuozzo from SWsoft ([link=http: Our overhead stays at about 3% with Virtuozzo even on Exchange, Oracle and CRM. We couldn't get lower than about 15-20% with ESX.